
INNER JOIN and WHERE clause with session

I am trying to join three tables and also bring in a tutID session so it carries it through from the previous page. The commented out SQL statement is needed to be in the SQL statement.

<?php
session_start();
if (!isset($_GET['tutID']) || !is_numeric($_GET['tutID']))
{
    header('Location: ./allTutorials.php');
    exit; // stop here so nothing after the redirect runs
}
else
{

    // Include database connection file
    include('./inc/connection.inc.php');

    // Get record details
    connect();

    $tutID = $_GET['tutID'];
    /*$sql =    "SELECT * FROM tutorials WHERE tutID = '$tutID' ";*/
    $sql = "SELECT * FROM tutorials INNER JOIN tutorialimages ON tutorials.tutID = tutorialimages.tutID INNER JOIN images ON images.imageID = tutorialimages.imageID";

    $result = @mysql_query($sql) or die('Unable to run query');
    $record = mysql_fetch_object($result);

    mysql_close();
?>

Add WHERE in your JOIN query -

$sql = "SELECT * FROM tutorials 
        INNER JOIN tutorialimages ON tutorials.tutID = tutorialimages.tutID
        INNER JOIN images ON images.imageID = tutorialimages.imageID 
        WHERE tutorials.tutID = " . ((int) $tutID);

You'll notice I've re-cast the tutorial ID to an integer. This is a safety measure to prevent a malicious user from injecting SQL into your query. Whilst this is safe, it would be better to switch to a database engine that offers parameterisation, which makes this easier.
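The parameterised form of the same join, as an added example that is not part of the original question or answer. It assumes PDO with an in-memory SQLite database standing in for the real MySQL schema; the `fetchTutorial` helper, the `title` and `filename` columns, and all rows are constructed for illustration.

```php
<?php
// Added example: the three-table join with a bound parameter instead of string concatenation.
// Assumption: PDO with the SQLite driver; constructed tables and rows replace the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

$pdo->exec('CREATE TABLE tutorials (tutID INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec('CREATE TABLE images (imageID INTEGER PRIMARY KEY, filename TEXT)');
$pdo->exec('CREATE TABLE tutorialimages (tutID INTEGER, imageID INTEGER)');
$pdo->exec("INSERT INTO tutorials VALUES (1, 'Joins'), (2, 'Sessions')");
$pdo->exec("INSERT INTO images VALUES (10, 'a.png'), (11, 'b.png'), (12, 'c.png')");
$pdo->exec('INSERT INTO tutorialimages VALUES (1, 10), (1, 11), (2, 12)');

/**
 * Hypothetical helper: return the joined rows for one tutorial,
 * or null when the supplied ID is not a plain positive integer.
 */
function fetchTutorial(PDO $pdo, $rawTutID): ?array
{
    // Stricter than is_numeric(), which also accepts values such as "1e3" and "1.5".
    $tutID = filter_var($rawTutID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($tutID === false) {
        return null;
    }
    // The ID travels as a typed parameter, so it is never parsed as SQL text.
    $stmt = $pdo->prepare(
        'SELECT tutorials.tutID, tutorials.title, images.imageID, images.filename
           FROM tutorials
           INNER JOIN tutorialimages ON tutorials.tutID = tutorialimages.tutID
           INNER JOIN images ON images.imageID = tutorialimages.imageID
          WHERE tutorials.tutID = :tutID'
    );
    $stmt->bindValue(':tutID', $tutID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Constructed inputs: two valid IDs and two strings that are not plain integers.
foreach (['1', '2', '1 OR 1=1', '1e3'] as $input) {
    $rows = fetchTutorial($pdo, $input);
    printf("%-12s => %s\n", var_export($input, true),
        $rows === null ? 'rejected' : count($rows) . ' row(s)');
}
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the prepared statement and the validation stay the same.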
